Implementing a  Single Sign-On  Solution

Implementing a Single Sign-On Solution PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

What is Single Sign-On . Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems. . E-SSO. Enterprise single sign-on (E-SSO), also called legacy single sign-on, after primary user a

Download Presentation

Implementing a Single Sign-On Solution

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

1. Implementing a Single Sign-On Solution Marcus Milligan, M.B.A., PMP Manager, Administrative Systems [email protected] Russ Little Manager, Web Systems [email protected]

2. What is Single Sign-On Single sign-on (SSO) is a specialized form of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems.

3. E-SSO Enterprise single sign-on (E-SSO), also called legacy single sign-on, after primary user authentication, intercepts login prompts presented by secondary applications, and automatically fills in fields such as a login ID or password. E-SSO systems allow for interoperability with applications that are unable to externalize user authentication, essentially through "screen scraping."

4. Web-SSO Web single sign-on (Web-SSO), also called Web access management (Web-AM) works strictly with applications and resources accessed with a web browser. Access to web resources is intercepted, either using a web proxy server or by installing a component on each targeted web server. Unauthenticated users who attempt to access a resource are diverted to an authentication service, and returned only after a successful sign-on. Cookies are most often used to track user authentication state, and the Web-SSO infrastructure extracts user identification information from these cookies, passing it into each web resource.

5. Federation Federation is a new approach, also for web applications, which uses standards-based protocols to enable one application to assert the identity of a user to another, thereby avoiding the need for redundant authentication. Standards to support federation include SAML and WS-Security.

6. Wouldn’t it be nice… If there were one application that did everything I needed? Or if all of my applications, vendors & partners would cooperate If someone would invent the ‘Magic Button’….

7. In Reality… Students’, Faculty and Staff need access to: Blackboard Portal WebCT – Learning Management System Questionmark’s Perception – Exam, Quiz tool WebAdvisor – Datatel’s Web Application delivering: Registration, e-commerce, Budget etc… Web Based e-Mail Intranet – Forms, Custom Applications, News, Reporting

8. Sticky Note Credentials System

9. Ultimate Hiding Spot…

10. Benefits: Users, Support Staff, and Company All Save Time! Users: The users can now simply run the application without having to remember a complicated logon sequence. They now can click the application icon and use the application. Instant Value: According to the Gartner Group report, 30% - 40% of support calls are due to password resets. Single Sign-On will immediately eliminate many of these types of calls. Reduce Support Costs: At a reported cost of $17 - $32 per call, that will translate into an immediate cost savings when using Single Sign-On. Security is also strengthened, since the users are no longer writing their application names and passwords on sticky notes or their desk calendar for all eyes to see.

11. Selecting a Solution Must be web based No client side agent, application or plug-in’s No coding for each SSO’ed application; non-invasive Vendor research Imprivata RSA Security Citrix Protocom Version 3’s Simple Sign-On

12. Vendor Research Imprivata E-SSO, Desktop solution Aprox $70,000 + $14,000 maintenance RSA Hardware only solution

13. Vendor Research Cont. Citrix Password manager both desktop and web based Extends AD schema, or uses local file No site license $107 per user 4,000 concurrent users $428,000 2,000 named users $106,800

14. Vendor Research Cont.. Protocom Desktop product, client required for all users Extends AD schema 2,000 staff and 50,000 students = $140,000 with $8,000 support

15. Vendor Research Cont… Version 3’s Simple Sign-On E-SSO with desktop client Web SSO in Beta No agent or plug-in for Web SSO Takes advantage of MS ADAM so the AD schema doesn’t need extended Dual key encryption Auditing and monitoring Site license for $60,000 if participant in beta

16. Project Planning Formed SSO Implementation team Project Manager - Marcus Technical Lead - Russ Technical Writer Systems Administrator Network Engineer Manager of Network Manager of Helpdesk Chief Information Security Officer Web Systems Architect

17. Role of Team Members Project Manager Leads project, regular meetings, primary contact with vendor, provides status reports, identifies risks, and manages resources. Technical Lead Liaison to vendor CTO and developers, leads resolution on technical issues, and integrates technology into current environment.

18. Role of Team Members Cont. Technical Writer Develop communications, email, flyer etc… Systems Administrator Responsible for provisioning SSO’ed applications. Network Engineer Learn the SSO administrator tool, troubleshoot, SSO build installs Manager of Network Design of hardware architecture

19. Role of Team Members Cont.. Manager of Helpdesk Train staff on troubleshooting procedures related to SSO Chief Information Security Officer Develops security policy concerning SSO, and audits SSO environment for potential risk Web Systems Architect Web development to support SSO integration with current architecture

20. Usability Study Utilized public computer lab 5 studies Cross Section of Faculty & Staff Random Students Business Class Computer Science Class Distance Learning Students (WebCT)


22. Usability Study Results What the single sign-on easy for you to use? Yes. Yes! I was unsure about it at first, but it seems to be a great product. Yes, it’s much easier to use than trying to remember different passwords. Yes, I love it! Yes much better than old version. The login enter was not easy to find, I love the single sign on. Yes, keep up the good work!!!

23. Usability Study Results Cont. Do you have any suggestions for improvement? No. Place warning message on those applications not included: tartan card, FACTS. After changing password, the screen should return to the main page. It stays on the password change screen with no clickable options. Try adding a finished button to return to the portal. Add Colleague as part of the single sign on for staff. Strip logoff out of email. Remove all password reset options. Logout should close out all browser windows. Logout button needs more visibility. There is no link to Distance Learning website when you click on ‘DL’ under Instructional Bookmarks. A screen asking “What’s my password under prospective student doesn’t make sense; you should have already used your password by this point. How do I know its my account being addressed in WebCT and imail. Is there any way to display the username on the screen. Don’t let them change their passwords.

24. Usability Study Results Cont.. Do you have any suggestions for communicating this new service to students? Communicate, communicate, communicate PC’s at Sinclair central may need reconfigured. What are the password policy requirements? I tried to change my password and there were no guidelines. I could not change my password! Add information about closing WebCT & perception windows on the my.sinclair logout page. Got to get their attention re password security and logout importance. Text-only at logon screen not enough. Include a flyer or magnet with book purchases. Maybe a screen saver message on all campus computers. Mass email to accounts, teacher announcements, several college briefings, past upcoming change in the announcements page, inform counselor staff. More on my.sinclair. Clarion article. An email message to students. Posters at Sinclair Central, registration and the divisional offices, allied health, business etc.. My students do not communicate via and instructors use WebCT directly.

25. Phased Approach Team decided on phased approach Phase 1 – Web e-Mail Phase 2 – BlackBoard Portal Phase 3 – WebCT & Perception Phase 4 - WebAdvisor

26. Implementation Timeline

27. Implementation Timeline

28. Implementation Timeline

30. Internal Marketing Targeted emails Faculty Staff Student workers WebCT administrators Intranet News In person meetings

31. External Marketing 4 Easel Mounted Color Poster boards with flyer pockets Placed in high traffic areas 8 Color Posters Placed in student activity center Mailbox where part-time faculty collect checks Brightly Colored Flyers Bookstore place in student plastic shopping bag Labs Registration

32. PC’s Wallpaper

33. Poster Board

34. Poster Board

35. External Marketing Cont. portal news PC’s wallpaper in labs Screen saver text Campus new article

36. PC’s Wallpaper

39. Training Vendor Onsite intensive work sessions for 3 days Second visit onsite for 2 days. Remote support - Constant No End User training – Simple communication is enough

40. Timing Release Registration Quarter breaks System work on production Staff schedules Adequate testing Stability

41. Develop Parallel Test System Setup a duplicate system to mirror the production system 2 new test SSO servers Linked to test application servers They do share the AD and ADAM servers

42. Politics Concerns – Change is always uncomfortable for some Issues – Getting buy in from all parties Sponsorship - Executive Level AD is critical for access to everything Heightens fear especially in beta Tolerance level for Beta needs to be understood and defined

43. How Does it Work Technology Overview Integration AD – Active Directory ADAM – Active Directory Application Manager Non-invasive ISAPI filter

44. Demo

45. Automation Provisioning – Adds users to an application via SSO Password builds – auto generation and assignment Extracts – reused the existing upload files for applications Drop box for uploads – drop an extract in and it will provision automatically Macros – for setting up new applications Macro recorder

46. Hardware Architecture For SSO and ADAM 2 Compaq DL380 G3 servers with 2-2.8 GHz processors and 4 GB RAM. Load balanced behind 2 Foundry Server Iron switches. AD is on a cluster of other servers No changes to the target application servers

47. Security Issues Is it secure enough? Concerns Does one access point increase risk? Encryption increased or present for first time The overall system design is more secure now than it has ever been Password requirements

48. Support Internal Help desk SSO Implementation Team Vendor Access to Simple Sign-On developers Two in person visits

49. The Good Vendors support, fanatical Simple Easy to add new applications Custom Integration possible Increased security Increased user experience Reduced login related support calls

50. The Bad Small company, limited resources Beta, lots of revisions and bugs Constant change Low tolerance for beta software Roll backs Lack of parallel test system to start with

51. The Ugly Web browser issues Black and white lists Firewalls Diverse PC configurations Apple browser support Over coming change Learning curve for concepts

52. What's Next Add more applications Intranet One Card Online Card Office Payment Plan Integration of custom applications using the API

53. Q&A

54. References Reference: The Free Encyclopedia, Version 3,

  • Login